Unauthorised Access
Physical Penetration Testing For IT Security Teams

Wil Allsopp

A John Wiley and Sons, Ltd., Publication



This edition first published 2009
© 2009 John Wiley & Sons, Ltd

Registered office
John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom

For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com.

The right of the author to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher is not associated with any product or vendor mentioned in this book. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

ISBN 978-0-470-74761-2

Typeset in 10/12 Optima by Laserwords Private Limited, Chennai, India
Printed and bound in Great Britain by Bell & Bain Ltd, Glasgow

www.wiley.com

To Nique for being herself and to my family for supporting and inspiring me.

Contents

Preface xi
Acknowledgements xv
Foreword xvii

1 The Basics of Physical Penetration Testing 1
    What Do Penetration Testers Do? 2
    Security Testing in the Real World 2
    Legal and Procedural Issues 4
    Know the Enemy 8
    Engaging a Penetration Testing Team 9
    Summary 10

2 Planning Your Physical Penetration Tests 11
    Building the Operating Team 12
    Project Planning and Workflow 15
    Codes, Call Signs and Communication 26
    Summary 28

3 Executing Tests 29
    Common Paradigms for Conducting Tests 30
    Conducting Site Exploration 31
    Example Tactical Approaches 34
    Mechanisms of Physical Security 36
    Summary 50

4 An Introduction to Social Engineering Techniques 51
    Introduction to Guerilla Psychology 53
    Tactical Approaches to Social Engineering 61
    Summary 66

5 Lock Picking 67
    Lock Picking as a Hobby 68
    Introduction to Lock Picking 72
    Advanced Techniques 80
    Attacking Other Mechanisms 82
    Summary 86

6 Information Gathering 89
    Dumpster Diving 90
    Shoulder Surfing 99
    Collecting Photographic Intelligence 102
    Finding Information From Public Sources and the Internet 107
    Electronic Surveillance 115
    Covert Surveillance 117
    Summary 119

7 Hacking Wireless Equipment 121
    Wireless Networking Concepts 122
    Introduction to Wireless Cryptography 125
    Cracking Encryption 131
    Attacking a Wireless Client 144
    Mounting a Bluetooth Attack 150
    Summary 153

8 Gathering the Right Equipment 155
    The Get Out of Jail Free Card 155
    Photography and Surveillance Equipment 157
    Computer Equipment 159
    Wireless Equipment 160
    Global Positioning Systems 165
    Lock Picking Tools 167
    Forensics Equipment 169
    Communications Equipment 170
    Scanners 171
    Summary 175

9 Tales from the Front Line 177
    SCADA Raiders 177
    Night Vision 187
    Unauthorized Access 197
    Summary 204

10 Introducing Security Policy Concepts 207
    Physical Security 208
    Protectively Marked or Classified GDI Material 213
    Protective Markings in the Corporate World 216
    Communications Security 218
    Staff Background Checks 221
    Data Destruction 223
    Data Encryption 224
    Outsourcing Risks 225
    Incident Response Policies 226
    Summary 228

11 Counter Intelligence 229
    Understanding the Sources of Information Exposure 230
    Social Engineering Attacks 235
    Protecting Against Electronic Monitoring 239
    Securing Refuse 240
    Protecting Against Tailgating and Shoulder Surfing 241
    Performing Penetration Testing 242
    Baseline Physical Security 245
    Summary 247

Appendix A: UK Law 249
    Computer Misuse Act 249
    Human Rights Act 251
    Regulation of Investigatory Powers Act 252
    Data Protection Act 253

Appendix B: US Law 255
    Computer Fraud and Abuse Act 255
    Electronic Communications Privacy Act 256
    SOX and HIPAA 257

Appendix C: EU Law 261
    European Network and Information Security Agency 261
    Data Protection Directive 263

Appendix D: Security Clearances 265
    Clearance Procedures in the United Kingdom 266
    Levels of Clearance in the United Kingdom 266
    Levels of Clearance in the United States 268

Appendix E: Security Accreditations 271
    Certified Information Systems Security Professional 271
    Communications-Electronics Security Group CHECK 272
    Global Information Assurance Certification 274
    INFOSEC Assessment and Evaluation 275

Index 277

Preface

This is a book about penetration testing. There is nothing innately new about that: there are dozens of books on the subject, but this one is unique. It covers in as much detail as is possible the oft-overlooked art of physical penetration testing rather than, say, ethical hacking. We won't teach you how to use port scanners or analyze source code. There are plenty of places you can learn about that and, to a certain degree, if you're reading this book then I'm going to assume you have grounding in the subject matter anyway. The purpose of this book is twofold: to provide auditing teams with the skills and the methodology they need to conduct successful physical penetration testing and to educate those responsible for keeping attackers out of their facilities.

My personal experience in physical penetration testing began about seven years ago when, following a scoping meeting to arrange an ethical hacking engagement at a data centre in London, the client asked almost as an aside, 'By the way, do you guys do social engineering, that sort of thing, you know, try and break in and stuff?' I responded (like any junior consultant sitting next to a senior salesman) that of course we did! As it turned out we thought about it, decided to give it a shot and . . . failed. Miserably. Not surprisingly.

My team and I were hackers, lab rats. In effect, we didn't know the first thing about breaking into buildings or conning our way past security guards. This is a situation now facing an increasing number of ethical hacking teams who are being asked to perform physical testing. We know it needs to be done and the value is obvious, but where to begin? There are no books on the subject, at least none available to the general public (other than the dodgy ones on picking locks published by Loompanics Unlimited). So I decided to fill the void and write one. It has a special emphasis on combining physical testing with information security testing, simply because ethical hacking teams are most likely to be employed for this kind of work (at least in the private sector) and because ultimately it's your information systems that are the most likely target for any attacker. However, anyone with a need to understand how physical security can fail will benefit from this book, the culmination of a number of years of experience performing all manner of penetration testing in all kinds of environments.

Who this Book Is For

Anyone who has an interest in penetration testing and what that entails will benefit from this book. You might have an interest in becoming a penetration tester, or you might work in the industry already with an aim to learn about physical penetration testing. You might want to learn how attackers gain access to facilities and how this can be prevented, or perhaps you're considering commissioning a physical penetration test and want to learn what this involves.

This book is written for you.

What this Book Covers

Unauthorized Access discusses the lifecycle of a physical penetration test from start to finish. This starts with planning and project management and progresses through the various stages of execution. Along the way, you'll learn the skills that are invaluable to the tester, including social engineering, wireless hacking, and lock picking.

The core subjects discuss what takes place during a physical penetration test, what you can expect and how to deal with problems. Equipment necessary to carrying out a test is given its own chapter.

Chapter 9 includes case studies that draw on my own personal testing experience, which I hope will inspire you. Chapters 10 and 11 focus on protecting against intruders and corporate spies and how this relates to the cornerstone of information security: the security policy.

The appendices deal with miscellaneous subjects such as law, accreditations and security clearance.

How this Book Is Structured

The two most important chapters in this book are Chapter 2 and Chapter 3. These contain the core theory and practice of physical penetration testing. The chapters that follow them discuss in depth the skill sets you will be required to master:

Chapter 4 This chapter discusses how to manipulate human nature. Social engineering is the art of the con man and probably the single most crucial set of skills you will learn. The practice of these skills is at the core of any successful operating team.

Chapter 5 Generally this concerns defeating locks. This chapter assumes no previous knowledge and these skills are not difficult to master. This is a crash course.

Chapter 6 Knowledge is power; the more you have the more powerful you become. This chapter covers the basics of how and where to gather information, from how to successfully leverage Internet search technologies and databases through to the physical surveillance of target staff and facilities.

Chapter 7 Despite the security shortcomings of wireless networks (both 802.11x and Bluetooth) being well documented, many companies continue to deploy them. I discuss equipment, how to crack encryption and bypass other security mechanisms. I provide you with shortcuts to get you up and running quickly and introduce some newer techniques for compromising wireless networks that will guarantee that if you're using wireless in your business now, you won't be when you finish this chapter.

Chapter 8 This chapter offers an in-depth discussion of the equipment you need, where to get it and how to use it.

Chapter 9 This chapter offers a few historical scenarios taken from my case history. Names have been changed to protect those who should have known better.

Chapter 10 This chapter provides basic information about what a security policy should cover. If you've read this far and still don't have a security policy, this chapter helps you write one.

Chapter 11 This chapter covers how to minimize your exposure to information leakage, social engineering and electronic surveillance.

Appendix A This provides a legal reference useful to UK testers.

Appendix B This provides a legal reference useful to US testers.

Appendix C This provides a legal reference useful when conducting testing in the European Union.
